cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10835
Views
0
Helpful
6
Replies

Problems with WCCP - Squid v2.7 + Cisco ASA 5510 v8.2

brettrandall
Level 1
Level 1

Hi all

I'm having problems setting up a new ASA 5510 with WCCP to our Squid server (worth nothing that we've never used WCCP before, so this is a first).

We've created a GRE tunnel on the Squid box (running Linux):

# iptunnel add gre1 mode gre remote 10.0.0.251 local 10.0.0.80 dev eth0
# ifconfig gre1 127.0.0.2 up

(where 10.0.0.251 is the internal interface of our ASA and 10.0.0.80 is the IP of our squid proxy server)

Then we've set up iptables to redirect port 80 to our proxy on port 8080:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Our Squid 2.7.STABLE3 config file contains:

http_port 10.0.0.80:8080 transparent
wccp2_router 10.0.0.251

We can tell that WCCP connects because in the ASA we have:

HCHFW# sh wccp

Global WCCP information:
    Router information:
        Router Identifier:                   1.2.3.2
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            5242
        Redirect access-list:                wccp_proxy
        Total Connections Denied Redirect:   622
        Total Packets Unassigned:            118
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

(for some reason, the "router identifier" is the outside IP of the ASA rather than the inside IP - according to Cisco documentation, this shouldn't matter, but I'm not so sure - I've tried creating iptunnel with both router identifiers though and didn't make a difference). As can be seen, the cache has connected fine and packets are being redirected.

However, clients are getting timeouts when trying to browse the internet. In the ASA logs, I'm seeing:

3|Apr 17 2010 10:19:13|313001: Denied ICMP type=3, code=3 from INT-PROXY on interface inside
4|Apr 17 2010 10:19:13|313005: No matching connection for ICMP error message: icmp src inside:INT-PROXY dst identity:1.2.3.2 (type 3, code 3) on inside interface.  Original IP payload: protocol 47 src 1.2.3.2 dst INT-PROXY.

"INT-PROXY" is the name for our 10.0.0.80 host (the proxy server). From my limited experience, it looks like our proxy is trying to connect back to our outside IP instead of inside IP, even though the GRE tunnel and squid.conf have pointed it to the inside IP. Am I interpreting this correct?

Any help in figuring out why WCCP is timing out would be greatly appreciated! Some of the more relevant parts of the config are at the bottom of this post.

Thanks

Brett.

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.2.3.2 255.255.255.252
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.251 255.255.255.0
!

route outside 0.0.0.0 0.0.0.0 1.2.3.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1

global (outside) 1 2.1.1.1 netmask 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
name 192.168.253.0 VPNIPRange
access-list inside_nat0_outbound extended permit ip any VPNIPRange 255.255.255.0

access-list wccp_proxy extended deny tcp host 10.0.0.80 any eq www
access-list wccp_proxy extended deny tcp host 10.0.0.34 any eq www
access-list wccp_proxy extended deny tcp host 10.0.0.113 any eq www
access-list wccp_proxy extended permit tcp 10.0.10.0 255.255.255.192 any eq www
access-list wccp_proxy extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list wccp_servers extended permit ip host 10.0.0.80 any

wccp web-cache redirect-list wccp_proxy group-list wccp_servers

wccp interface inside web-cache redirect in

6 Replies 6

brettrandall
Level 1
Level 1

Bump

I have an almost identical config with the exact same problem. Any luck?

Hi Andy

We did eventually get this working. The key  things were:

1. The remote IP used in the iptunnel  needs to be the router identifier that the PIX/ASA presents. So in our  case, we needed to change the iptunnel IP to 1.2.3.2. However in squid.conf, the wccp2_router config entry needs to point to the internally contactable interface of your PIX/ASA (in our case, 10.0.0.251).

2. The iptables rule on your proxy server needs to have the "gre1" interface specified (e.g. iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 8080).

3. We have since upgraded to Squid 3.0 as well (even though we had this working in the end with 2.7). Unusually, we couldn't get it working with the same "transparent" line in squid.conf, so we now have:

http_port 8080
http_port 10.0.0.80:8088 transparent

And our iptables rule redirects to port 8088 instead of 8080. Seemingly there was some kind of bug which allowed the normal proxying and transparent proxying to happily occupy the same port in earlier versions of squid, that v3 doesn't allow.

Hope this helps.

Brett.

brettrandall
Level 1
Level 1

And I should also point out that the "rp_filter" stuff IS important. If your system has /etc/sysctl.conf, make sure you set:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

net.ipv4.ip_forward=1

Then either reboot (probably there is a better way to re-apply this file), or else manually set all the "rp_filter" files in /proc/sys/net/ipv4/conf/* to "0".

Brett.

Instead of wccp i will suggest for route maps. pls check below guide for the same,

http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html

That does work, however has a few failings which is why we went with WCCP:

  • If the proxy server is unavailable, traffic will stop routing with route-maps. With WCCP, it removes the proxy from the list, and if there are no proxies remaining, the traffic will continue going out without being proxied.
  • WCCP allows you to have multiple proxy servers and it will load share between them.
  • You can't accidentally take your network down with WCCP. Due to fat fingers, that has occasionally happened with incorrectly configured route-maps ;-)

That all said, route maps are much easier to set up and may suffice for many people.

Brett.

Review Cisco Networking for a $25 gift card